Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
182 Commits 2 Branches 0 Tags
ece783713e5908350e649533cf4e29cd6fe4d26a
Commit Graph

4 Commits

Author SHA1 Message Date
Michael Freno
0495ee5bd2 Auto-commit 2026-04-29 16:31 2026-04-29 16:31:27 -04:00
Michael Freno
0ff6c74871 FRE-709: Document duplicate recovery wake - FRE-635 already recovered via FRE-708 2026-04-26 20:23:14 -04:00
Michael Freno
754fce269f fix: implement critical security remediation for authentication and authorization 
- Add Clerk token verification to tRPC context (server/trpc/index.ts)
- Remove client-controlled authorId/reviewedById from revisions router
- Require JWT_SECRET environment variable, remove hardcoded fallback
- Add table name validation to prevent SQL injection in backup logic
- Fix TRPCContext type to use better-sqlite3 instead of LibSQL
- Update revisions router tests to use proper tRPC v11+ API
- Add resetInMemoryState function for test isolation

Security fixes address:
- Critical: Authentication bypass via missing token verification
- Critical: User impersonation via client-controlled IDs
- High: Insecure WebSocket defaults with hardcoded secrets
- High: SQL injection vulnerability in backup logic

All tests passing (24/24).
 2026-04-25 08:24:45 -04:00
Michael Freno
7c684a42cc FRE-600: Fix code review blockers 
- Consolidated duplicate UndoManagers to single instance
- Fixed connection promise to only resolve on 'connected' status
- Fixed WebSocketProvider import (WebsocketProvider)
- Added proper doc.destroy() cleanup
- Renamed isPresenceInitialized property to avoid conflict

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-25 00:08:01 -04:00